Network Intrusion Detection Systems (“NIDS”) are typically designed to monitor network activity in real-time to spot suspicious or known malicious activity and to report these findings to the appropriate personnel. By keeping watch on all activity, NIDS have the potential to warn about computer intrusions relatively quickly and allow administrators time to protect or contain intrusions, or allow the NIDS to react and stop the attack automatically. In the security industry, a NIDS may either be a passive observer of the traffic or an active network component that reacts to block attacks in real-time.
False alarms in an NIDS may be reduced by using a technique called passive operating system (OS) analysis. The typical implementation watches network traffic in real-time to discern the operating system types of the hosts by looking at the raw network packets and matching them against a known list. This method requires that the NIDS have direct access to the network traffic to work and enough processing power to handle the additional workload.